/* * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html */ #include #include #include #include #include #include #include #include #include "crypto/evp.h" #include "crypto/decoder.h" #include "crypto/evp/evp_local.h" #include "crypto/lhash.h" #include "encoder_local.h" #include "internal/namemap.h" #include "internal/sizes.h" int OSSL_DECODER_CTX_set_passphrase(OSSL_DECODER_CTX *ctx, const unsigned char *kstr, size_t klen) { return ossl_pw_set_passphrase(&ctx->pwdata, kstr, klen); } int OSSL_DECODER_CTX_set_passphrase_ui(OSSL_DECODER_CTX *ctx, const UI_METHOD *ui_method, void *ui_data) { return ossl_pw_set_ui_method(&ctx->pwdata, ui_method, ui_data); } int OSSL_DECODER_CTX_set_pem_password_cb(OSSL_DECODER_CTX *ctx, pem_password_cb *cb, void *cbarg) { return ossl_pw_set_pem_password_cb(&ctx->pwdata, cb, cbarg); } int OSSL_DECODER_CTX_set_passphrase_cb(OSSL_DECODER_CTX *ctx, OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg) { return ossl_pw_set_ossl_passphrase_cb(&ctx->pwdata, cb, cbarg); } /* * Support for OSSL_DECODER_CTX_new_for_pkey: * The construct data, and collecting keymgmt information for it */ DEFINE_STACK_OF(EVP_KEYMGMT) struct decoder_pkey_data_st { OSSL_LIB_CTX *libctx; char *propq; int selection; STACK_OF(EVP_KEYMGMT) *keymgmts; char *object_type; /* recorded object data type, may be NULL */ void **object; /* Where the result should end up */ }; static int decoder_construct_pkey(OSSL_DECODER_INSTANCE *decoder_inst, const OSSL_PARAM *params, void *construct_data) { struct decoder_pkey_data_st *data = construct_data; OSSL_DECODER *decoder = OSSL_DECODER_INSTANCE_get_decoder(decoder_inst); void *decoderctx = OSSL_DECODER_INSTANCE_get_decoder_ctx(decoder_inst); const OSSL_PROVIDER *decoder_prov = OSSL_DECODER_get0_provider(decoder); EVP_KEYMGMT *keymgmt = NULL; const OSSL_PROVIDER *keymgmt_prov = NULL; int i, end; /* * |object_ref| points to a provider reference to an object, its exact * contents entirely opaque to us, but may be passed to any provider * function that expects this (such as OSSL_FUNC_keymgmt_load(). * * This pointer is considered volatile, i.e. whatever it points at * is assumed to be freed as soon as this function returns. */ void *object_ref = NULL; size_t object_ref_sz = 0; const OSSL_PARAM *p; p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_TYPE); if (p != NULL) { char *object_type = NULL; if (!OSSL_PARAM_get_utf8_string(p, &object_type, 0)) return 0; OPENSSL_free(data->object_type); data->object_type = object_type; } /* * For stuff that should end up in an EVP_PKEY, we only accept an object * reference for the moment. This enforces that the key data itself * remains with the provider. */ p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_REFERENCE); if (p == NULL || p->data_type != OSSL_PARAM_OCTET_STRING) return 0; object_ref = p->data; object_ref_sz = p->data_size; /* * First, we try to find a keymgmt that comes from the same provider as * the decoder that passed the params. */ end = sk_EVP_KEYMGMT_num(data->keymgmts); for (i = 0; i < end; i++) { keymgmt = sk_EVP_KEYMGMT_value(data->keymgmts, i); keymgmt_prov = EVP_KEYMGMT_get0_provider(keymgmt); if (keymgmt_prov == decoder_prov && evp_keymgmt_has_load(keymgmt) && EVP_KEYMGMT_is_a(keymgmt, data->object_type)) break; } if (i < end) { /* To allow it to be freed further down */ if (!EVP_KEYMGMT_up_ref(keymgmt)) return 0; } else if ((keymgmt = EVP_KEYMGMT_fetch(data->libctx, data->object_type, data->propq)) != NULL) { keymgmt_prov = EVP_KEYMGMT_get0_provider(keymgmt); } if (keymgmt != NULL) { EVP_PKEY *pkey = NULL; void *keydata = NULL; /* * If the EVP_KEYMGMT and the OSSL_DECODER are from the * same provider, we assume that the KEYMGMT has a key loading * function that can handle the provider reference we hold. * * Otherwise, we export from the decoder and import the * result in the keymgmt. */ if (keymgmt_prov == decoder_prov) { keydata = evp_keymgmt_load(keymgmt, object_ref, object_ref_sz); } else { struct evp_keymgmt_util_try_import_data_st import_data; import_data.keymgmt = keymgmt; import_data.keydata = NULL; if (data->selection == 0) /* import/export functions do not tolerate 0 selection */ import_data.selection = OSSL_KEYMGMT_SELECT_ALL; else import_data.selection = data->selection; /* * No need to check for errors here, the value of * |import_data.keydata| is as much an indicator. */ (void)decoder->export_object(decoderctx, object_ref, object_ref_sz, &evp_keymgmt_util_try_import, &import_data); keydata = import_data.keydata; import_data.keydata = NULL; } if (keydata != NULL && (pkey = evp_keymgmt_util_make_pkey(keymgmt, keydata)) == NULL) evp_keymgmt_freedata(keymgmt, keydata); *data->object = pkey; /* * evp_keymgmt_util_make_pkey() increments the reference count when * assigning the EVP_PKEY, so we can free the keymgmt here. */ EVP_KEYMGMT_free(keymgmt); } /* * We successfully looked through, |*ctx->object| determines if we * actually found something. */ return (*data->object != NULL); } static void decoder_clean_pkey_construct_arg(void *construct_data) { struct decoder_pkey_data_st *data = construct_data; if (data != NULL) { sk_EVP_KEYMGMT_pop_free(data->keymgmts, EVP_KEYMGMT_free); OPENSSL_free(data->propq); OPENSSL_free(data->object_type); OPENSSL_free(data); } } struct collect_data_st { OSSL_LIB_CTX *libctx; OSSL_DECODER_CTX *ctx; const char *keytype; /* the keytype requested, if any */ int keytype_id; /* if keytype_resolved is set, keymgmt name_id; else 0 */ int sm2_id; /* if keytype_resolved is set and EC, SM2 name_id; else 0 */ int total; /* number of matching results */ char error_occurred; char keytype_resolved; STACK_OF(EVP_KEYMGMT) *keymgmts; }; static void collect_decoder_keymgmt(EVP_KEYMGMT *keymgmt, OSSL_DECODER *decoder, void *provctx, struct collect_data_st *data) { void *decoderctx = NULL; OSSL_DECODER_INSTANCE *di = NULL; /* * We already checked the EVP_KEYMGMT is applicable in check_keymgmt so we * don't check it again here. */ if (keymgmt->name_id != decoder->base.id) /* Mismatch is not an error, continue. */ return; if ((decoderctx = decoder->newctx(provctx)) == NULL) { data->error_occurred = 1; return; } if ((di = ossl_decoder_instance_new(decoder, decoderctx)) == NULL) { decoder->freectx(decoderctx); data->error_occurred = 1; return; } OSSL_TRACE_BEGIN(DECODER) { BIO_printf(trc_out, "(ctx %p) Checking out decoder %p:\n" " %s with %s\n", (void *)data->ctx, (void *)decoder, OSSL_DECODER_get0_name(decoder), OSSL_DECODER_get0_properties(decoder)); } OSSL_TRACE_END(DECODER); if (!ossl_decoder_ctx_add_decoder_inst(data->ctx, di)) { ossl_decoder_instance_free(di); data->error_occurred = 1; return; } ++data->total; } static void collect_decoder(OSSL_DECODER *decoder, void *arg) { struct collect_data_st *data = arg; STACK_OF(EVP_KEYMGMT) *keymgmts = data->keymgmts; int i, end_i; EVP_KEYMGMT *keymgmt; const OSSL_PROVIDER *prov; void *provctx; if (data->error_occurred) return; prov = OSSL_DECODER_get0_provider(decoder); provctx = OSSL_PROVIDER_get0_provider_ctx(prov); /* * Either the caller didn't give us a selection, or if they did, the decoder * must tell us if it supports that selection to be accepted. If the decoder * doesn't have |does_selection|, it's seen as taking anything. */ if (decoder->does_selection != NULL && !decoder->does_selection(provctx, data->ctx->selection)) return; OSSL_TRACE_BEGIN(DECODER) { BIO_printf(trc_out, "(ctx %p) Checking out decoder %p:\n" " %s with %s\n", (void *)data->ctx, (void *)decoder, OSSL_DECODER_get0_name(decoder), OSSL_DECODER_get0_properties(decoder)); } OSSL_TRACE_END(DECODER); end_i = sk_EVP_KEYMGMT_num(keymgmts); for (i = 0; i < end_i; ++i) { keymgmt = sk_EVP_KEYMGMT_value(keymgmts, i); collect_decoder_keymgmt(keymgmt, decoder, provctx, data); if (data->error_occurred) return; } } /* * Is this EVP_KEYMGMT applicable given the key type given in the call to * ossl_decoder_ctx_setup_for_pkey (if any)? */ static int check_keymgmt(EVP_KEYMGMT *keymgmt, struct collect_data_st *data) { /* If no keytype was specified, everything matches. */ if (data->keytype == NULL) return 1; if (!data->keytype_resolved) { /* We haven't cached the IDs from the keytype string yet. */ OSSL_NAMEMAP *namemap = ossl_namemap_stored(data->libctx); data->keytype_id = ossl_namemap_name2num(namemap, data->keytype); /* * If keytype is a value ambiguously used for both EC and SM2, * collect the ID for SM2 as well. */ if (data->keytype_id != 0 && (strcmp(data->keytype, "id-ecPublicKey") == 0 || strcmp(data->keytype, "1.2.840.10045.2.1") == 0)) data->sm2_id = ossl_namemap_name2num(namemap, "SM2"); /* * If keytype_id is zero the name was not found, but we still * set keytype_resolved to avoid trying all this again. */ data->keytype_resolved = 1; } /* Specified keytype could not be resolved, so nothing matches. */ if (data->keytype_id == 0) return 0; /* Does not match the keytype specified, so skip. */ if (keymgmt->name_id != data->keytype_id && keymgmt->name_id != data->sm2_id) return 0; return 1; } static void collect_keymgmt(EVP_KEYMGMT *keymgmt, void *arg) { struct collect_data_st *data = arg; if (!check_keymgmt(keymgmt, data)) return; /* * We have to ref EVP_KEYMGMT here because in the success case, * data->keymgmts is referenced by the constructor we register in the * OSSL_DECODER_CTX. The registered cleanup function * (decoder_clean_pkey_construct_arg) unrefs every element of the stack and * frees it. */ if (!EVP_KEYMGMT_up_ref(keymgmt)) return; if (sk_EVP_KEYMGMT_push(data->keymgmts, keymgmt) <= 0) { EVP_KEYMGMT_free(keymgmt); data->error_occurred = 1; } } /* * This function does the actual binding of decoders to the OSSL_DECODER_CTX. It * searches for decoders matching 'keytype', which is a string like "RSA", "DH", * etc. If 'keytype' is NULL, decoders for all keytypes are bound. */ static int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx, const char *keytype, OSSL_LIB_CTX *libctx, const char *propquery) { int ok = 0; struct decoder_pkey_data_st *process_data = NULL; struct collect_data_st collect_data = { NULL }; STACK_OF(EVP_KEYMGMT) *keymgmts = NULL; OSSL_TRACE_BEGIN(DECODER) { const char *input_type = ctx->start_input_type; const char *input_structure = ctx->input_structure; BIO_printf(trc_out, "(ctx %p) Looking for decoders producing %s%s%s%s%s%s\n", (void *)ctx, keytype != NULL ? keytype : "", keytype != NULL ? " keys" : "keys of any type", input_type != NULL ? " from " : "", input_type != NULL ? input_type : "", input_structure != NULL ? " with " : "", input_structure != NULL ? input_structure : ""); } OSSL_TRACE_END(DECODER); /* Allocate data. */ if ((process_data = OPENSSL_zalloc(sizeof(*process_data))) == NULL) goto err; if ((propquery != NULL && (process_data->propq = OPENSSL_strdup(propquery)) == NULL)) goto err; /* Allocate our list of EVP_KEYMGMTs. */ keymgmts = sk_EVP_KEYMGMT_new_null(); if (keymgmts == NULL) { ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_CRYPTO_LIB); goto err; } process_data->object = NULL; process_data->libctx = libctx; process_data->selection = ctx->selection; process_data->keymgmts = keymgmts; /* * Enumerate all keymgmts into a stack. * * We could nest EVP_KEYMGMT_do_all_provided inside * OSSL_DECODER_do_all_provided or vice versa but these functions become * bottlenecks if called repeatedly, which is why we collect the * EVP_KEYMGMTs into a stack here and call both functions only once. * * We resolve the keytype string to a name ID so we don't have to resolve it * multiple times, avoiding repeated calls to EVP_KEYMGMT_is_a, which is a * performance bottleneck. However, we do this lazily on the first call to * collect_keymgmt made by EVP_KEYMGMT_do_all_provided, rather than do it * upfront, as this ensures that the names for all loaded providers have * been registered by the time we try to resolve the keytype string. */ collect_data.ctx = ctx; collect_data.libctx = libctx; collect_data.keymgmts = keymgmts; collect_data.keytype = keytype; EVP_KEYMGMT_do_all_provided(libctx, collect_keymgmt, &collect_data); if (collect_data.error_occurred) goto err; /* Enumerate all matching decoders. */ OSSL_DECODER_do_all_provided(libctx, collect_decoder, &collect_data); if (collect_data.error_occurred) goto err; OSSL_TRACE_BEGIN(DECODER) { BIO_printf(trc_out, "(ctx %p) Got %d decoders producing keys\n", (void *)ctx, collect_data.total); } OSSL_TRACE_END(DECODER); /* * Finish initializing the decoder context. If one or more decoders matched * above then the number of decoders attached to the OSSL_DECODER_CTX will * be nonzero. Else nothing was found and we do nothing. */ if (OSSL_DECODER_CTX_get_num_decoders(ctx) != 0) { if (!OSSL_DECODER_CTX_set_construct(ctx, decoder_construct_pkey) || !OSSL_DECODER_CTX_set_construct_data(ctx, process_data) || !OSSL_DECODER_CTX_set_cleanup(ctx, decoder_clean_pkey_construct_arg)) goto err; process_data = NULL; /* Avoid it being freed */ } ok = 1; err: decoder_clean_pkey_construct_arg(process_data); return ok; } /* Only const here because deep_copy requires it */ static EVP_KEYMGMT *keymgmt_dup(const EVP_KEYMGMT *keymgmt) { if (!EVP_KEYMGMT_up_ref((EVP_KEYMGMT *)keymgmt)) return NULL; return (EVP_KEYMGMT *)keymgmt; } /* * Duplicates a template OSSL_DECODER_CTX that has been setup for an EVP_PKEY * operation and sets up the duplicate for a new operation. * It does not duplicate the pwdata on the assumption that this does not form * part of the template. That is set up later. */ static OSSL_DECODER_CTX * ossl_decoder_ctx_for_pkey_dup(OSSL_DECODER_CTX *src, EVP_PKEY **pkey, const char *input_type, const char *input_structure) { OSSL_DECODER_CTX *dest; struct decoder_pkey_data_st *process_data_src, *process_data_dest = NULL; if (src == NULL) return NULL; if ((dest = OSSL_DECODER_CTX_new()) == NULL) { ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_OSSL_DECODER_LIB); return NULL; } if (!OSSL_DECODER_CTX_set_input_type(dest, input_type) || !OSSL_DECODER_CTX_set_input_structure(dest, input_structure)) { ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_OSSL_DECODER_LIB); goto err; } dest->selection = src->selection; if (src->decoder_insts != NULL) { dest->decoder_insts = sk_OSSL_DECODER_INSTANCE_deep_copy(src->decoder_insts, ossl_decoder_instance_dup, ossl_decoder_instance_free); if (dest->decoder_insts == NULL) { ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_OSSL_DECODER_LIB); goto err; } } if (!OSSL_DECODER_CTX_set_construct(dest, OSSL_DECODER_CTX_get_construct(src))) { ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_OSSL_DECODER_LIB); goto err; } process_data_src = OSSL_DECODER_CTX_get_construct_data(src); if (process_data_src != NULL) { process_data_dest = OPENSSL_zalloc(sizeof(*process_data_dest)); if (process_data_dest == NULL) { ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_CRYPTO_LIB); goto err; } if (process_data_src->propq != NULL) { process_data_dest->propq = OPENSSL_strdup(process_data_src->propq); if (process_data_dest->propq == NULL) { ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_CRYPTO_LIB); goto err; } } if (process_data_src->keymgmts != NULL) { process_data_dest->keymgmts = sk_EVP_KEYMGMT_deep_copy(process_data_src->keymgmts, keymgmt_dup, EVP_KEYMGMT_free); if (process_data_dest->keymgmts == NULL) { ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_EVP_LIB); goto err; } } process_data_dest->object = (void **)pkey; process_data_dest->libctx = process_data_src->libctx; process_data_dest->selection = process_data_src->selection; if (!OSSL_DECODER_CTX_set_construct_data(dest, process_data_dest)) { ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_OSSL_DECODER_LIB); goto err; } process_data_dest = NULL; } if (!OSSL_DECODER_CTX_set_cleanup(dest, OSSL_DECODER_CTX_get_cleanup(src))) { ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_OSSL_DECODER_LIB); goto err; } return dest; err: if (process_data_dest != NULL) { OPENSSL_free(process_data_dest->propq); sk_EVP_KEYMGMT_pop_free(process_data_dest->keymgmts, EVP_KEYMGMT_free); OPENSSL_free(process_data_dest); } OSSL_DECODER_CTX_free(dest); return NULL; } typedef struct { char *input_type; char *input_structure; char *keytype; int selection; char *propquery; OSSL_DECODER_CTX *template; } DECODER_CACHE_ENTRY; DEFINE_LHASH_OF_EX(DECODER_CACHE_ENTRY); typedef struct { CRYPTO_RWLOCK *lock; LHASH_OF(DECODER_CACHE_ENTRY) *hashtable; } DECODER_CACHE; static void decoder_cache_entry_free(DECODER_CACHE_ENTRY *entry) { if (entry == NULL) return; OPENSSL_free(entry->input_type); OPENSSL_free(entry->input_structure); OPENSSL_free(entry->keytype); OPENSSL_free(entry->propquery); OSSL_DECODER_CTX_free(entry->template); OPENSSL_free(entry); } static unsigned long decoder_cache_entry_hash(const DECODER_CACHE_ENTRY *cache) { unsigned long hash = 17; hash = (hash * 23) + (cache->propquery == NULL ? 0 : ossl_lh_strcasehash(cache->propquery)); hash = (hash * 23) + (cache->input_structure == NULL ? 0 : ossl_lh_strcasehash(cache->input_structure)); hash = (hash * 23) + (cache->input_type == NULL ? 0 : ossl_lh_strcasehash(cache->input_type)); hash = (hash * 23) + (cache->keytype == NULL ? 0 : ossl_lh_strcasehash(cache->keytype)); hash ^= cache->selection; return hash; } static ossl_inline int nullstrcmp(const char *a, const char *b, int casecmp) { if (a == NULL || b == NULL) { if (a == NULL) { if (b == NULL) return 0; else return 1; } else { return -1; } } else { if (casecmp) return OPENSSL_strcasecmp(a, b); else return strcmp(a, b); } } static int decoder_cache_entry_cmp(const DECODER_CACHE_ENTRY *a, const DECODER_CACHE_ENTRY *b) { int cmp; if (a->selection != b->selection) return (a->selection < b->selection) ? -1 : 1; cmp = nullstrcmp(a->keytype, b->keytype, 1); if (cmp != 0) return cmp; cmp = nullstrcmp(a->input_type, b->input_type, 1); if (cmp != 0) return cmp; cmp = nullstrcmp(a->input_structure, b->input_structure, 1); if (cmp != 0) return cmp; cmp = nullstrcmp(a->propquery, b->propquery, 0); return cmp; } void *ossl_decoder_cache_new(OSSL_LIB_CTX *ctx) { DECODER_CACHE *cache = OPENSSL_malloc(sizeof(*cache)); if (cache == NULL) return NULL; cache->lock = CRYPTO_THREAD_lock_new(); if (cache->lock == NULL) { OPENSSL_free(cache); return NULL; } cache->hashtable = lh_DECODER_CACHE_ENTRY_new(decoder_cache_entry_hash, decoder_cache_entry_cmp); if (cache->hashtable == NULL) { CRYPTO_THREAD_lock_free(cache->lock); OPENSSL_free(cache); return NULL; } return cache; } void ossl_decoder_cache_free(void *vcache) { DECODER_CACHE *cache = (DECODER_CACHE *)vcache; lh_DECODER_CACHE_ENTRY_doall(cache->hashtable, decoder_cache_entry_free); lh_DECODER_CACHE_ENTRY_free(cache->hashtable); CRYPTO_THREAD_lock_free(cache->lock); OPENSSL_free(cache); } /* * Called whenever a provider gets activated/deactivated. In that case the * decoders that are available might change so we flush our cache. */ int ossl_decoder_cache_flush(OSSL_LIB_CTX *libctx) { DECODER_CACHE *cache = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_DECODER_CACHE_INDEX); if (cache == NULL) { ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_OSSL_DECODER_LIB); return 0; } if (!CRYPTO_THREAD_write_lock(cache->lock)) { ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_OSSL_DECODER_LIB); return 0; } lh_DECODER_CACHE_ENTRY_doall(cache->hashtable, decoder_cache_entry_free); lh_DECODER_CACHE_ENTRY_flush(cache->hashtable); CRYPTO_THREAD_unlock(cache->lock); return 1; } OSSL_DECODER_CTX * OSSL_DECODER_CTX_new_for_pkey(EVP_PKEY **pkey, const char *input_type, const char *input_structure, const char *keytype, int selection, OSSL_LIB_CTX *libctx, const char *propquery) { OSSL_DECODER_CTX *ctx = NULL; OSSL_PARAM decoder_params[] = { OSSL_PARAM_END, OSSL_PARAM_END }; DECODER_CACHE *cache = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_DECODER_CACHE_INDEX); DECODER_CACHE_ENTRY cacheent, *res, *newcache = NULL; if (cache == NULL) { ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_OSSL_DECODER_LIB); return NULL; } if (propquery != NULL) decoder_params[0] = OSSL_PARAM_construct_utf8_string(OSSL_DECODER_PARAM_PROPERTIES, (char *)propquery, 0); /* It is safe to cast away the const here */ cacheent.input_type = (char *)input_type; cacheent.input_structure = (char *)input_structure; cacheent.keytype = (char *)keytype; cacheent.selection = selection; cacheent.propquery = (char *)propquery; if (!CRYPTO_THREAD_read_lock(cache->lock)) { ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_CRYPTO_LIB); return NULL; } /* First see if we have a template OSSL_DECODER_CTX */ res = lh_DECODER_CACHE_ENTRY_retrieve(cache->hashtable, &cacheent); if (res == NULL) { /* * There is no template so we will have to construct one. This will be * time consuming so release the lock and we will later upgrade it to a * write lock. */ CRYPTO_THREAD_unlock(cache->lock); if ((ctx = OSSL_DECODER_CTX_new()) == NULL) { ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_OSSL_DECODER_LIB); return NULL; } OSSL_TRACE_BEGIN(DECODER) { BIO_printf(trc_out, "(ctx %p) Looking for %s decoders with selection %d\n", (void *)ctx, keytype, selection); BIO_printf(trc_out, " input type: %s, input structure: %s\n", input_type, input_structure); } OSSL_TRACE_END(DECODER); if (OSSL_DECODER_CTX_set_input_type(ctx, input_type) && OSSL_DECODER_CTX_set_input_structure(ctx, input_structure) && OSSL_DECODER_CTX_set_selection(ctx, selection) && ossl_decoder_ctx_setup_for_pkey(ctx, keytype, libctx, propquery) && OSSL_DECODER_CTX_add_extra(ctx, libctx, propquery) && (propquery == NULL || OSSL_DECODER_CTX_set_params(ctx, decoder_params))) { OSSL_TRACE_BEGIN(DECODER) { BIO_printf(trc_out, "(ctx %p) Got %d decoders\n", (void *)ctx, OSSL_DECODER_CTX_get_num_decoders(ctx)); } OSSL_TRACE_END(DECODER); } else { ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_OSSL_DECODER_LIB); OSSL_DECODER_CTX_free(ctx); return NULL; } newcache = OPENSSL_zalloc(sizeof(*newcache)); if (newcache == NULL) { OSSL_DECODER_CTX_free(ctx); return NULL; } if (input_type != NULL) { newcache->input_type = OPENSSL_strdup(input_type); if (newcache->input_type == NULL) goto err; } if (input_structure != NULL) { newcache->input_structure = OPENSSL_strdup(input_structure); if (newcache->input_structure == NULL) goto err; } if (keytype != NULL) { newcache->keytype = OPENSSL_strdup(keytype); if (newcache->keytype == NULL) goto err; } if (propquery != NULL) { newcache->propquery = OPENSSL_strdup(propquery); if (newcache->propquery == NULL) goto err; } newcache->selection = selection; newcache->template = ctx; if (!CRYPTO_THREAD_write_lock(cache->lock)) { ctx = NULL; ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_CRYPTO_LIB); goto err; } res = lh_DECODER_CACHE_ENTRY_retrieve(cache->hashtable, &cacheent); if (res == NULL) { (void)lh_DECODER_CACHE_ENTRY_insert(cache->hashtable, newcache); if (lh_DECODER_CACHE_ENTRY_error(cache->hashtable)) { ctx = NULL; ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_CRYPTO_LIB); goto err; } } else { /* * We raced with another thread to construct this and lost. Free * what we just created and use the entry from the hashtable instead */ decoder_cache_entry_free(newcache); ctx = res->template; } } else { ctx = res->template; } ctx = ossl_decoder_ctx_for_pkey_dup(ctx, pkey, input_type, input_structure); CRYPTO_THREAD_unlock(cache->lock); return ctx; err: decoder_cache_entry_free(newcache); OSSL_DECODER_CTX_free(ctx); return NULL; }